LinkedIn, one of the biggest professional social networks, has suffered a major breach of its user password database. The attack was confirmed on Wednesday afternoon by Vicente Silveira, Director at LinkedIn, and was followed by an apology to the affected LinkedIn users who now have a hacked password.
A file containing nearly 6.5 million hacked passwords was published on a Russian online forum. At first, no one was 100% sure where the passwords came from, but soon it became apparent that many of these passwords were associated with LinkedIn accounts.
“Many of the cracked passwords that have been published to the forum have the common term ‘LinkedIn’ in them,” said security adviser, Per Thorsheim, to PCWorld. Sophos, computer security software developers, also came to this conclusion when they noticed some of their employees passwords on the hacked password list.
Imperva, a leading data security organisation, suspects that the breach may have exposed more than the reported 6.5 million accounts because the published hacked password list does not include common, easy to guess passwords such as “123456”. The list the attacker has released contains hard to guess passwords and the reason he released it, is to gain external help to crack the complex passwords. It also only lists each password once, not revealing if that same password was used for more than one account.
No other user information or data, such as email addresses, was included in the hacked password list, but it is likely that the hackers also have that information.
LinkedIn has already taken action - owners of the compromised passwords or with passwords that are considered to be at great risk of being cracked will be required to reset their password. LinkedIn will be sending emails to such users with instructions on how to reset their password, as well as an explanation of the security incident.
Many people tend to use simple passwords, such as ‘password’, ‘secret’ or ‘123456’. Some people include the name of the website they are signing up to in their password itself, for example ‘1234LinkedIn’. Since such passwords tend to be common, it makes them very easy to guess or crack.
What is a Hashed Password?
Before passwords are stored they are encoded using SHA-1 hashing algorithm so not to be stored as plain text. SHA-1 hash algorithm converts a password into a unique long value, made of numbers and letters. For instance, the output of SHA-1 algorithm using the text ‘AcunetixWVS’ will always be ‘e77a2fe8046bb6566c8a7adf782f0bbafa6e04c7’.
If LinkedIn had ‘salted’ the leaked users’ passwords, it would have been almost impossible to crack them. ‘Salting’ is the process of adding a value in the hash operation and to the calculation of the hashed value. This makes guessing the password much more difficult as the ‘salt’ value must be discovered as well as the actual password. Mary Landesman, senior security researcher at Cloudmark, a messaging security company, said that not salting passwords is considered to be poor practice. LinkedIn has put new security measures in place, including salting techniques.
It is strongly recommended that LinkedIn users promptly change their passwords. Users should make sure they use strong web passwords, which are unique and not used on other websites or for other accounts they may have.
This security breach is a timely reminder that every company, no matter how big, can be vulnerable to an online attack that can severely damage their reputation. Ensure your website is secure by using Acunetix Web Vulnerability Scanner – download your free trial here.